Systems and methods for testing and evaluating an intrusion detection system
Abstract
Systems, methods and devices according to this invention include a plurality of defined modification rules for modifying a sequence of packets that form an attack on an intrusion detection system. These modification rules include both rules that expand the number of packets and rules that reduce the number of packets. The reducing rules can be applied to a given attack instance to identify one or more root attack instances. The expanding rules can then be applied to each root attack instance to generate a corpus of modified attack instances. The modification rules can preserve the semantics of the attack, so that any modified attack instance generated from the given attack instance remains a true attack. To test an intrusion detection system, the corpus of modified attack instances can be used to determine whether an intrusion detection system detects every modified attack instance.
Claims (20)
1. A method for testing an intrusion detection system usable to detect attacks against a network location, comprising:
presenting each of a plurality of attack instances corresponding to a given attack to the intrusion detection system being tested, the plurality of attack instances generated by modifying a given attack instance using a plurality of transformation rules of a formal transformation system, the transformation rules substantially preserving the semantics of the given attack instance;
determining, for each presented attack instance, whether the intrusion detection system being tested generated an alert in response to being presented with that attack instance;
evaluating the intrusion detection system being tested based on results of determining, for each presented attack instance, whether the intrusion detection system being tested generated an alert in response to being presented with that attack instance.
Dependent claims: 2, 3, 4, 5.
6. A method for generating a corpus of modified attack instances from a given attack instance using a plurality of transformation rules of a formal transformation system, the transformation rules usable to modify an attack instance, each transformation rule substantially preserving the semantics of the attack instance, the attack instance usable against a network, the given attack instance being one element of a set of available attack instances, the method comprising:
selecting an attack instance from the set of available attack instances as a selected attack instance;
selecting one of the plurality of transformation rules;
applying the selected transformation rule to transform the selected attack instance to create a modified attack instance, the modified attack instance being another element of the set of available attack instances;
repeating at least one of the attack selecting, rule selecting and rule applying steps a plurality of times to create additional modified attack instances, each such modified attack instance being another element of the set of available attack instances; and
forming the corpus of modified attack instances from at least some of the available attack instances.
Dependent claims: 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18.
19. A corpus of modified attack instances, each attack instance usable to obtain unauthorized access to or use of a network, the corpus of modified attack instances generated by:
selecting an attack instance from a set of available attack instances as a selected attack instance;
selecting one of a plurality of transformation rules of a formal transformation system, the plurality of transformation rules usable to modify an attack instance, each transformation rule substantially preserving the semantics of the selected attack instance;
applying the selected transformation rule to transform the selected attack instance to create a modified attack instance, the modified attack instance being another element of the set of available attack instances;
repeating the attack selecting, rule selecting and rule applying steps a plurality of times to create additional modified attack instances, each such modified attack instance being another element of the set of available attack instances; and
forming the corpus of modified attack instances from at least some of the available attack instances.
20. An intrusion detection system having a set of attack signatures, the intrusion detection system usable to detect attacks against a network location based on the set of attack signatures, at least one of the set of attack signatures being a modified attack signature generated by:
presenting each of a plurality of attack instances corresponding to a given attack to the intrusion detection system, the plurality of attack instances generated by modifying a given attack instance using a plurality of transformation rules of a formal transformation system, the transformation rules substantially preserving the semantics of the given attack instance;
determining, for each presented attack instance, whether the intrusion detection system generated an alert in response to being presented with that attack instance;
identifying at least one attack instance for which the intrusion detection system failed to generate an alarm;
identifying at least one attack instance for which the intrusion detection system failed to generate an alarm due to the intrusion detection system lacking a signature that matches that attack instance; and
for at least one such identified attack instance, modifying at least one attack signature presented to the intrusion detection system to form the modified attack signature, the modified attack signature usable by the intrusion detection system to detect the attack instance for which the intrusion detection system previously failed to generate an alarm.
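The transformation system described in the abstract and in claims 1, 6 and 19, worked through as an added example that is not code from the patent: packet splitting is the expanding rule, coalescing is the reducing rule, reduction finds the root instance, expansion generates the corpus, and two model detectors are evaluated over it. The request bytes, the signature string and both detectors are constructed placeholders, not real traffic or a real IDS.

```python
from itertools import combinations

# Constructed sample: one packet carrying a placeholder signature string
# (not a real exploit) and the single signature the model IDSs know.
SIGNATURES = [b"EXAMPLE-ATTACK"]
GIVEN_INSTANCE = [b"GET /cgi-bin/EXAMPLE-ATTACK HTTP/1.0\r\n"]

def split_rule(packets, i, offset):
    """Expanding rule: cut packet i at offset into two packets."""
    p = packets[i]
    if not 0 < offset < len(p):
        raise ValueError("offset must fall strictly inside the packet")
    return packets[:i] + [p[:offset], p[offset:]] + packets[i + 1:]

def merge_rule(packets, i):
    """Reducing rule: coalesce packets i and i+1 into one packet."""
    return packets[:i] + [packets[i] + packets[i + 1]] + packets[i + 2:]

def root_instance(packets):
    """Apply the reducing rule until it no longer applies: the root instance."""
    while len(packets) > 1:
        packets = merge_rule(packets, 0)
    return packets

def corpus(root, max_cuts=2):
    """Expanding rules applied to the root: every way of cutting the byte stream
    at up to max_cuts offsets. Every variant must preserve the stream bytes."""
    stream = b"".join(root)
    variants = [root]
    for n in range(1, max_cuts + 1):
        for cuts in combinations(range(1, len(stream)), n):
            bounds = (0,) + cuts + (len(stream),)
            variants.append([stream[a:b] for a, b in zip(bounds, bounds[1:])])
    assert all(b"".join(v) == stream for v in variants)  # semantics preserved
    return variants

def per_packet_ids(packets):
    """Model IDS that matches signatures against each packet in isolation."""
    return any(sig in p for p in packets for sig in SIGNATURES)

def stream_ids(packets):
    """Model IDS that reassembles the stream before matching."""
    stream = b"".join(packets)
    return any(sig in stream for sig in SIGNATURES)

def evaluate(ids, variants):
    """Present every variant and count the ones that raised no alert."""
    missed = [v for v in variants if not ids(v)]
    return len(variants), len(missed)
```

With a single cut, the per-packet matcher misses every variant whose cut falls inside the signature, while the reassembling matcher misses none; the gap is the kind of finding claim 20 feeds back into the signature set.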